Huawei E3372 LTE modding

Huawei E3372 LTE stick supports all the LTE/4G frequencies used by Croatian providers (VIPnet uses 1800 MHz, Hrvatski telekom uses the 1800 MHz band in cities and 800 MHz in rural areas) and costs an arm and a leg if bought network-locked from Croatian telecom (HRK 450 /60 € contract-free). Luckily, you can get it for about 30 euros on eBay, fully unlocked.

Since my plan was to find out which frequency HT is using in my area, I tried to sniff it out from the statistics page, but were ultimately unsuccesful in doing so. The firmware I had in my E3372 was customised for Latvia’s LMT and did have signal quality info, but there was no way I could select individual frequency bands, only 2G/3G/HDSPA/4G. Then I tried out a bunch of available firmware packages found on this Austrian forum, but stock versions were more limited than the one I had, while modded versions would simply not flash.

Then I tried reflashing the Huawei to act as a surf-stick, with emulated modem interfaces. Huawei’s AT command set is fairly well-documented, but I was still unable to switch off individual frequency bands so I could find out whether I’m using 800 or 1800 MHz.

Huawei E3372h is very popular in Russia, so the 4pda forum has a lot of information and solutions for it, but even if you can read Russian Cyrillic script and understand a bit of Russian (or know how to use Gooogle Translate), you still have to be logged in to download. That process requires registration and solving not one, but two CAPTCHA’s in Russian. After a lot of work, I registered an account – the CAPTCHA on the registration page wants you to add up two numbers visible in the image (XX плюс XX равно or “XX plus XX equals”), but the CAPTCHA on the login page is a hell to solve because it gives you a four-digit number, in words, written in Russian cursive (an example in regular, ‘print’ Cyrillic: девять тысяч восемьсот сорок семь or devyat’ tysyach vosem’sot sorok sem’ or nine thousand eight hundred and forty seven).

Once I solved that, I was back in the game. The forum has detailed instructions on which firmware versions can be flashed out-of-the-box, how to modify the WebUI, how to get telnet/ADB running and how to switch the modem to DEBUG mode, which exposes its control ports.

I’ve used some of the stuff I found there, simplified some things and tested all of it on a new Huawei E3372 straight out of the box, so a standard disclaimer is in order: all of this stuff worked for me, it should work for you, but please don’t come crying if you mess something up. You’ve been warned. Now, if you do want to make your Huawei E3372h-153 more usable, do read all of the instructions before you start fiddling with it because the first couple of points are a way to manually mod the stock firmware. If you don’t care for that version, you can skip to step 6, flash an appropriate firmware, do steps 1-3 and then just simply flash a modded firmware, ignoring steps 4 and 5.

1. Activating DEBUG mode

The first step in modding the stick is to switch it to DEBUG mode. This gives you access to additional COM ports we’ll use to unlock the modem and run busybox.

The switching procedure requires you to POST some XML to the modems API, which is usually at http://192.168.8.1/CGI

This is what you need to post:

1

2

3

4

5

6

7

8

9

10

11

<?xml version="1.0"encoding="UTF-8"?>

<api version="1.0">

<header>

<function>switchMode</function>

</header>

<body>

<request>

<switchType>1</switchType>

</request>

</body>

</api>

Scripts and curl.exe necessary for the above procedure can be found here.

The calculator has the HEX parts you need printed in red and blue, so copy/paste the required parts into CalculatorOEM as shown and click on Подобрать код. After a couple of minutes (the calculations do take a lot of time and it may appear as if the program is not responding) you’ll get your OEM key. Write it down, you’ll need it later. You can get the NCK, the network unlock code, the same way, just replace 50502 with 50503 in the AT command.

Reset the modem:
AT^RESET
Once it boots up and the WebUI opens in your browser, switch it to DEBUG mode once again.

3. Starting telnet/busybox

Now use Huawei Modem Terminal to connect to the “FC – ShallB” port.

Paste your OEM code in the “Send” box and hit Enter. The modem should reply:

1

2

3

Recieve:Login success

Recieve:EUAP>

Recieve:EUAP>

Run busybox/telnet by issuing the following command

1

busybox telnetd-l/bin/sh

Now you can fire up your favourite telnet client (PuTTy, KiTTY) and open a Telnet connection to port 23, host IP 192.168.8.1

4. Autorun of adb and telnet

Download the necessary files, copy them on a MicroSD card and put it in the Huawei. Download and unpack this archive to the root folder of your SD card: ADB Daemon

Now you can try to
reboot your Huawei. Telnet and ADB should be accessible without the need to switch to DEBUG mode.

5. Replacing the webUI

Download the necessary files and copy them to your MicroSD card. You’ll need the modded full WebUI: webui17.100.06.00.03mod1.0 and nand tools if you want to backup your existing WebUI, although there are more ways of doing that.

Provided that you’ve completed steps 1-3, open a Telnet connection to the Huawei and, if needed, mount the SD card.

You can also make a backup of your existing WebUI if you feel so inclined. To restore any of these three types of backups, you’ll need telnet access.

In case of any trouble, try erasing the userdata or reverting the Huawei to factory settings. This wasn’t necessary in my case, but if you need a way of doing it, use the following scripts: erase_userdata_e3372.rar

6. Flashing a patched kernel which enables you to flash modded firmware

I couln’t find a patched kernel for the stock fimware I got with my Huawei, but you can always re-flash it to a supported version. Flash one of the following firmware versions:

1

2

3

4

22.200.03.00.1134

21.180.01.00.00

21.180.01.00.143

22.180.05.00.00

You can find stock firmware on this Austrian forum, use the first one under “HI- Link Offiziell E3372h” (22.180.05.00.00).

If you do flash it after you’ve completed steps 1-5, you’ll have to redo steps 1-3 and then just flash a modded firwmare file/webUI.

If all is well, you can reset your modem and flash a firmware/WebUI of your choosing (with or without ADB/telnet, etc). Just make sure it’s marked “M”, which means that it’s already modded to accept custom firwmare.